Detection and Containment Flashcards

1
Q

The OODA Loop is a decision-making model created to help responders think
clearly during the “fog of war”

A

OODA Loop

2
Q

OODA Loop

A

Observe
Orient
Decide
Act

3
Q

Observe

A

Observe

4
Q

Involves reflecting on what has been found during observations and considering
what should be done next

A

Orient

5
Q

Makes suggestions towards an action or response plan while taking into
consideration all of the potential outcomes

A

Decide

6
Q

Carry out the decision and related changes that need to be made in response to
the decision

A

Act

7
Q

Defensive Capabilities

A

Detect
Destroy
Degrade
Disrupt
Deny
Deceive

8
Q

Identify the presence of an adversary and the resources at their
disposal

A

Detect

9
Q

Render an adversary’s resources permanently useless or ineffective

A

Destroy

10
Q

Reduce an adversary’s capabilities or functionality, perhaps temporarily

A

Degrade

11
Q

Interrupt an adversary’s communications or frustrate or confuse their
efforts

A

Disrupt

12
Q

Prevent an adversary from learning about your capabilities or accessing
your information assets

A

Deny

13
Q

Supply false information to distort the adversary’s understanding and
awareness

A

Deceive

14
Q

Determine if an incident has taken place, triage it, and notify relevant
stakeholders

A

Detection and Analysis

15
Q

Triage and categorization are done based on an impact-based or taxonomy-based
approach

A

Impact-based Approach
Taxonomy-based Approach

16
Q

A categorization approach that focuses on the severity of an incident,
such as emergency, significant, moderate, or low

A

Impact-based Approach

17
Q

An approach that defines incident categories at the top level, such as
worm outbreak, phishing attempt, DDoS, external host/account
compromise, or internal privilege abuse

A

Taxonomy-based Approach

18
Q

An incident that affects mission-essential functions, so that the organization
cannot operate as intended

A

Organizational Impact

19
Q

An incident that is limited in scope to a single department, small user group, or a
few systems

A

Localized Impact

20
Q

An incident measurement based on the direct costs incurred because of an
incident, such as downtime, asset damage, penalties, and fees

A

Immediate Impact

21
Q

An incident measurement based on the costs that arise both during and following
the incident, including damage to the company’s reputation

A

Total Impact

22
Q

Any incident where data is modified or loses integrity

A

Data Integrity

23
Q

Incidents that disrupt or threaten a mission essential business function

A

System Process Criticality

24
Q

An incident that degrades or interrupts the availability of an asset, system, or
business process

A

Downtime

25
Q

An incident that creates short-term or long-term costs

A

Economic

26
Q

An incident that is linked to the TTPs of known adversary groups with extensive
capabilities

A

Data Correlation

27
Q

An incident in which the capabilities of the malware are discovered to be linked to
an adversary group

A

Reverse Engineering

28
Q

An incident which requires extensive recovery time due to its scope or severity

A

Recovery Time

29
Q

An incident which was not discovered quickly

A

Detection Time

30
Q

Rapid containment is important to an incident response.
Limit the scope and magnitude of the incident by securing data and limiting
impact to business operations and your customers.

A

Containment

31
Q

A mitigation strategy that involves removing an affected component from
whatever larger environment it is a part of

A

Isolation

32
Q

A mitigation strategy that achieves the isolation of a host or group of hosts using
network technologies and architecture

A

Segmentation